Sister CISA CISSP:

December, 2008

OK, so you've bought the glow-in-the-dark, meets all the compliance requirements and looks really shiny "security solution" from a vendor (one or many).
Or maybe your management has bought it and presented it to you as a fait accompli. (Hope I'm spelling that fancy French right!) And of course...

In my travels as an auditor this year, I've visited 15 states and seen approximately 20 different networks, both LAN and WAN. I've audited hospitals, lotteries, racetracks, banks, small businesses, large online retailers, metal fabricators, telco service bureaus and health care service...

For saying the blindingly obvious:
"Companies and schools should find new ways to authenticate the identities of customers, employees and students that do not involve social security numbers, a U.S. consumer protection agency said on Wednesday as part of recommendations to fight identity...

Did you know that when a store puts in an ATM for customer use, the ATM also provides the store owner with a daily log of transactions? The log includes the bank name, the last four digits of the account number, the customer name, and the transaction.
So if I do an account balance request, that comes up in the log. ...

The new PCI (Payment Card Industry) Data Security Standards, Release 1.2, came out in October and are worth a look. They've added some updated recommendations (like getting rid of WEP entirely by 2010), and I especially liked some of the following features:
Compensating...

Information about consumer purchases, habits and history has become a multi-billion dollar treasure trove for businesses to sell and mine for others.
Specialized, targeted information from consumer databases held by banks and other financial institutions is being used to develop business...

About This Blog

Are IT Engineers and IT Auditors natural enemies? Having worked on both sides of the fence, I have a unique understanding of the common ground of these disciplines. It all comes down to competence. Can you say SAS 70 (ooops, SSAE16), PCI, SOX404, Digital Forensics, Pentesting... Geek?